Nexmo.com provides messaging and voice solutions, such as SMS gateway functionality, and has prominent customers like Airbnb. On May I found a serious security vulnerability on their website that enables anyone to reset the password of any account on Nexmo.com by knowing the account's email address and thus to take over an account and see what SMS messages were sent by the account, happily use credits of the account, et cetera.

I tried to figure out how to contact them about the security vulnerability; they don't have a dedicated site about security nor how security researchers can contact them, like Github and many others have (https://help.github.com/articles/github-security/). Which makes me think about how important security is to that company, but anyway.

So I ended up writing to their general-purpose support email address describing that I've found a highly severe security vulnerability related to password resets and would like to get in touch with someone from their IT security department or similar. And here's what they replied:

"Thanks for your email - this challenge has finished already, but we appreciate you contacting us."

Wait ... this "challenge" has finished already? What the serious f*?!

So I replied and explained to them that my inquiry isn't about a "challenge" but a serious security hole on their site.

Finally, it seemed that they understood what I wanted and they replied with the following:

"Thanks for letting us know about this, as a result of your email we are investigating it internally. If we need any further information from you we will let you know."

The reply seemed a bit weird to me. Why not just get in touch with me so I can explain the vulnerability? I respected their answer.

As of today, the security vulnerability is still present. How can you as a company just simply not even care about security and customer information?

I'm Marco and I work in the ops team at Nexmo. I have found your initial email to our Support team, and I can see that there have been some changes in our dashboard related to your report. I am not sure it's fixed because I don't have the details about the vulnerability you discovered, but I do know that initially we were resetting the user password straight away after a request. This is no longer the case - the email address now receives a reset link. If your report is still relevant despite this new procedure, I am very happy to receive the details.

Also, I would like to respond to the complaints that "we don't care about security". This is simply not true and we even use a bug bounty reward program. We do care and we accept reports through https://cobalt.io/ (ex CrowdCurity), so if you share with us your username/email on cobalt, we can add you to our program.

I totally agree we fucked up handling your report better back in May. I hope you are still willing to work with us!
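Marco's comment above contrasts two reset procedures: changing the password straight away on request, and emailing a reset link instead. The following is an added illustration (not Nexmo's code, and not from the thread) of the two patterns side by side: a request-time reset that needs only an email address, and a token-based flow in which only a hash of a random, single-use, expiring token is stored and the token itself goes into the emailed link. The in-memory stores and the sample account are constructed for the example.

```python
import hashlib
import secrets
import time

# Constructed sample data standing in for a user database (not real accounts).
USERS = {"alice@example.com": {"password": "old-secret"}}
RESET_TOKENS = {}          # sha256(token) -> (email, expiry timestamp)
TOKEN_TTL = 15 * 60        # reset links stop working after 15 minutes


def insecure_reset(email, new_password):
    """The flawed pattern: anyone who knows an email address can set the password.
    No proof of mailbox control is required, so this is an account takeover."""
    if email not in USERS:
        return False
    USERS[email]["password"] = new_password
    return True


def request_reset(email, now=None):
    """Hardened step 1: mint a single-use token and store only its hash.
    Returns the token that would be placed in the emailed link; a real server
    sends it to the mailbox and must answer the HTTP request identically
    whether or not the account exists, so the caller learns nothing here."""
    now = time.time() if now is None else now
    if email not in USERS:
        return None
    token = secrets.token_urlsafe(32)
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[token_hash] = (email, now + TOKEN_TTL)
    return token


def redeem_reset(token, new_password, now=None):
    """Hardened step 2: the link bearer proves mailbox control by presenting the
    token. The token is consumed on first use and rejected after expiry."""
    now = time.time() if now is None else now
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(token_hash, None)   # single use, valid or not
    if entry is None:
        return False
    email, expires_at = entry
    if now > expires_at:
        return False
    USERS[email]["password"] = new_password      # store a password hash in practice
    return True
```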

I'm so happy I finally have a person to talk to that seems to understand me.

Thanks for providing me the link to cobalt.io. I've never heard of that platform before. I just registered. My username is sebi

I'd think it would strengthen the position that you care about security if you would dedicate a page on your site to security. Would really like to see something like that. Not only as a security researcher, but also as a customer of yours.

I worry that "we do care about security" is increasingly insufficient. It's one thing to care about security, another to think that you take it seriously, and another to actually take it seriously.

Depending on the application, the amount of resources you should be expending on security is often times multiple times what a naive person would expect. Security is tricky and subtle, and most people don't realize how wrong they are when it comes to doing things securely.

I'm Esben, cofounder and chief product officer at Cobalt (https://cobalt.io). I can confirm that Nexmo has been running a bug bounty program with us for more than a year now. They have rewarded researchers and are in general keeping a good response time through the program.

They have now also added a link "Report Vulnerability" in the footer of nexmo.com linking directly to the program, making it easy for everyone to find it.

I created an account long time ago which comes with x amount of $ for free. Somehow it got below the threshold, and Nexmo sends me an email every single day about my low account balance and tells me to add money. Since unsubscribing required me to login, now all the mail goes to spam folder.

I have never gotten results by attempting to use a company's regular support channels. Best bet is to research who works there in a capacity that would actually be concerned about security issues.

On Nexmo's leadership page[0] I found their CTO, Eric Nadalin. A little LinkedIn search got me his profile[1]. Searching his name shows a lot of sites that would allow you to reach out to him (e.g. AngelList, Facebook, Twitter, etc.)

If that does not work, try reaching out to some of the companies that are Nexmo's clients. Even if Nexmo does not care, you can be sure that most of their clients will care, and they will definitely have the attention of Nexmo.

I've had similar negative results with their support a few months back on a project I was working on. Long story short is we switched to Twilio as a result. Their response time for a high priority ticket was embarrassing. I don't know if it's related to growing pains or bad timing but for commodity services like this where it's so easy to switch to a competitor on a whim (we were only using their SMS gateway service) it's critical to stay on top as it's tough to create brand loyalty unless your support is amazing. One of the reasons I'm fiercely loyal to Stripe even if a competitor may be cheaper... their support is amazing.

We've been a nexmo customer for a few years and support has definitely gone downhill. I rarely get any support request resolved anymore. Many simply go unanswered. We're looking for another global sms provider.

I had a similar problem some months ago with a prominent blogging platform and I ended up sending an email to the tech contact in their WHOIS. I got a response in less than one minute from a guy who wasn't working directly for the company, but for their hosting provider. He got the security issue fixed in something like three days.

I am not 100% sure about the legal details, but Nexmo as a company has a bug bounty reward program, so I assume in our case it doesn't apply because we want to know what's wrong and we request responsible disclosure (usually after the fix is in production).
You can see it here: https://cobalt.io/nexmo (yes, it isn't yet linked from our www).

LOL I expected that. Simple reason: we have received a good number of reports for our dashboard and some of them are still open mostly because they are not top priority. Needless to say we accept all reports and reward them accordingly to severity. :)

Does HackerOne[1] let you report vulnerabilities if the company isn't already signed up? Like, would they help facilitate interactions with the company, allowing some sort of public disclosure timeline?

Did you ask them for money? Did you describe the nature of the bug you discovered? Hard to believe a company will ignore a "I can reset any account's password" bug report. And if you're asking for a bounty, maybe they just can't afford to pay it.

The problem is, companies get a tonne of emails like this - usually from crackpots who think that they've found a vulnerability when they haven't.

May I suggest an email which establishes your credentials and gives a bit more detail - without necessarily telling a customer service agent the full details.

For example:

> My name is Bob, I'm a security researcher at FooCorp. I've discovered a serious security vulnerability with your XYZ system. It is possible to reset customers' accounts without any authorisation. I've been able to replicate this on test account abc@123. I think this is caused by a misconfigured widget. Please can you forward this message on to your head of security. You can see my previous security work at http://....

Something like that may be more likely to get some positive attention.

I am not sure why all this hate, as I said we fucked up the way the initial ticket has been handled and it's sorted now. :P FYI we plan to release the fix shortly and sebiw has already been rewarded via our official bug bounty program.

The parent was offering general advice for working with companies, and I was offering a general observation about that advice (namely, don't admit to technically-a-crime unless you know you're working with someone in good faith). Nothing personal, and it sounds like you guys have handled things professionally :-)

Edit: In particular and to clarify, my negative experience was not with your company.

Since I went through something similar recently, one of the best things to do is to get in touch with the CERT local to the company and tell them what the issue is. They can be pretty effective in pushing companies to solve the problem.

I'm no security researcher and have def never found a zero-day, but I think this is the thinking in the industry I identify with. Someone went out of their way to research this vulnerability and spent time on documenting and testing it. They then have the ability to own whatever infrastructure this leaves opened. So, they did the security team's job and helped out.

They then take time to repeatedly contact you with sufficient documentation and the offer for more of their time for free to walk you through it. Twice. Security consultants get paid a lot of money and this service is offered free of charge because of some hacker's curiosity.

The next step is not usually full disclosure but often, "I have written this blog post detailing the vulnerability and intend to post it in N days unless I hear from you" Then it is pretty fair game for full disclosure.

No. Even though the company does not care about their lack of security, the OP could risk opening himself up to legal issues if he announces the exploit and provides enough detail for it to be exploited.

I'm not going to research specific statutes for you, if that's what you are asking. But some examples off the top of my head...

Assume for the sake of argument that Nexmo is based in the UK. Using this exploit to access someone else's Nexmo.com account would be a violation of the Computer Misuse Act.

Writing a blog post detailing exactly how you achieved this would be a public admission of violating the Computer Misuse Act.

Another example: Person A publishes instructions detailing how to exploit this issue. Person B follows the steps, and causes financial harm to Nexmo. Nexmo sues Person B for exploiting their systems, and also names Person A in the lawsuit because their publication led directly to Person B's actions.

I'm not certain either of these cases would hold up in court, but there is certainly a risk that Nexmo would take the second approach. In the OP's shoes, the safest thing is not to publish. I'm not saying that's the right choice - just the safest from a legal perspective.

The people you need to reach are the software developers that maintain the system. It's probably best to try signed contract one of them through social media.

Yes there are companies that don't care about security. Often these mean that the software was built or operated by people with an agency/consulting background who care more about whether the software works.

Yes and no. This is a bug and a high severity bug once exploited. But as long as the main software product works "well enough" for a customer to pay for the development and be happy with it, an agency doesn't care. The prioritization of security varies by industry.

That said, my point is moot since it's a bug in a security fix. From the other comments Nexmo is going through some growing pains as it transitions into the enterprise and their IT department is struggling with prioritization.

You guys shouldn't give up on reporting vulnerabilities to businesses. It's highly important work that should be treated accordingly! It affects everybody and keeps the internet safer.
Cobalt.io seems to be doing a great job in this area, maybe you could contact them and they can reach out to the business and help your voice be heard.

Why not just send an email with the vulnerability information instead of playing email tag. Why not send an email with something like "I found a problem with feature XYZ and here are the steps to reproduce and using these steps I can do ABC". Problem solved.